really yar i am wondering about this, there is no direct way to specify maximum sessions for the user like 'maxConcurrentUsers' in spring and there is no direct way to specify the wrong login attempts user locking like 'maxLoginAttempts' even we didnt get in the tutorials also.
i am keep on facing the problem in the utilization of shiroFilter (org.apache.shiro.spring.web.ShiroFilterFactoryBean) becoz as we know the filters that are configured inside of this org.apache.shiro.spring.web.ShiroFilterFactoryBean using the property 'filters' will share the same loginUrl, successUrl, unaotorizedUrl............etc. but out builtin authc (FormAuthenticationFilter) is utilizing only the loginUrl property but remaining properties..... even i checked the samples given by apache shiro and i changed the paths of loginUrl, successUrl, unaotorizedUrl of shiroFilter, only the loginUrl is getting effected but not remaining properties. my configuration is like this. <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value="/main/user/performs/login" /> <!--- working-----> <property name="successUrl" value="redirect:/main/welcome1?cat=customermanagement.searchcustomer" /> <!-- NO-> <property name="unauthorizedUrl" value="/main/user/performs/error" /> <!-- NO-> <property name="filters"> <util:map> <entry key="logout"> <bean class="org.apache.shiro.web.filter.authc.LogoutFilter"> <property name="redirectUrl" value="/main/user/performs/login"></property> </bean> </entry> <entry key="authc"> <bean class="org.apache.shiro.web.filter.authc.FormAuthenticationFilter"></bean> </entry> </util:map> </property> <property name="filterChainDefinitions"> <value> /main/user/performs/logout = logout /** = authc </value> </property> </bean> only the loginUrl propery is working but not successUrl,unotherizedUrl............ pls help me if anybody makes me to work this perfectly i am really appreciate and wove u.. thanking u :) On Tue, Jun 18, 2013 at 10:03 PM, Richard Adams <[email protected]>wrote: > Hello, > > We have a new security requirement for our webapp to only allow a user a > single login session at a time. > If the user logs in through another browser or device, the original > session should be closed. > > I've spent some time hunting for a recommended solution using Apache > Shiro 1.2, but most seem home-grown solutions using an application-wide > HashMap of User-Session mappings, checking for existing sessions on each > login. Is this really the best solution or is this too simplistic? > > > In Spring Security, for example, there is an attribute called > 'maxConcurrentUsers' or something like that where this can be configured. > > It would be great if someone expert in Shiro could give a recommended > solution for this seemingly common use-case, at least as far as > integration with > Shiro goes. > > Many thanks, > Richard > > > Richard Adams > [email protected] > > > > > -- Regards,**** Nagaraju.
